The present invention is directed to a method for testing a terminal communicating with chip cards using an action code that is derived both in the chip card and in the terminal from a common secret code and from a common algorithm that depends on a common random number.
The protection of data plays an increasingly important role in modern data processing and communications systems. The quality of a system with respect to adequate data protection depends critically on the degree to which one succeeds in making access to the system possible only for authorized persons and, conversely, in keeping non-authorized persons locked out with absolute reliability. A simple, although not absolutely certain, way of checking access authorization to a system is to use passwords that are known only to the authorized user and that the user can change as often as he desires. Since there is a risk that such passwords can be obtained by unauthorized persons, additional protection measures are indispensable. One of these measures, for example, is the coding and decoding of the transmitted information, a measure that can be realized in data processing systems utilizing, among other things, a chip card. With the increasing use of the chip card in data processing systems, however, an additional security risk arises because chip cards can be lost relatively easily. Great care must therefore be exercised to ensure that a lost chip card is protected against potential misuse in all instances. The chip card is therefore designed such that the data stored in a protected chip card can only be accessed when the user inputs in advance an identifier, for example a personal identification number, referred to as a PIN, that is stored only in the chip card.
A further security barrier can be erected with the assistance of authentication of the chip card vis-a-vis the system. This authentication prevents an arbitrary subscriber from accessing secret information in the system by pretending to be authorized. A critical prerequisite for the authentication is a personal feature of the subscriber that cannot be copied. This feature of the subscriber is achieved by use of a secret cipher for the coding and decoding that is known only to the two parties, that is, the chip card and the system.
The close, circuit-oriented linkage between the chip card and a user terminal, however, presupposes not only that the user of the chip card documents his identity but also that the data flow in the terminal proceeds without manipulation. This includes, for example, that the identification number PIN input by the chip card user cannot be read out and that the data displayed by the terminal coincides with the data transferred to the chip card. A manipulation in which supposedly true data is displayed to the user while false data is processed in the chip card must be made impossible with a high degree of reliability.
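The terminal test outlined in the opening paragraph can be sketched as follows. This is an added illustration, not code from the patent. It assumes that HMAC-SHA-256 stands in for the unspecified common algorithm, that the chip card generates the random number and performs the comparison, and all class names, function names and secret values are constructed for the example.

```python
import hashlib
import hmac
import secrets

ACTION_CODE_LEN = 8  # bytes; constructed choice for this example

def derive_action_code(secret_code: bytes, random_number: bytes) -> bytes:
    """Assumed common algorithm: HMAC-SHA-256 keyed with the common secret code."""
    mac = hmac.new(secret_code, random_number, hashlib.sha256)
    return mac.digest()[:ACTION_CODE_LEN]

class ChipCard:
    def __init__(self, secret_code: bytes):
        self._secret = secret_code
        self._pending = None  # random number awaiting an answer

    def new_random_number(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check_terminal(self, terminal_code: bytes) -> bool:
        if self._pending is None:
            return False  # no test in progress
        rn, self._pending = self._pending, None  # each random number is used once
        expected = derive_action_code(self._secret, rn)
        return hmac.compare_digest(expected, terminal_code)

class Terminal:
    def __init__(self, secret_code: bytes):
        self._secret = secret_code

    def respond(self, random_number: bytes) -> bytes:
        return derive_action_code(self._secret, random_number)

def run_demo():
    secret = b"constructed-demo-secret"  # constructed sample value
    card = ChipCard(secret)
    genuine = Terminal(secret)
    altered = Terminal(b"not-the-common-secret")  # terminal without the secret

    code = genuine.respond(card.new_random_number())
    ok_genuine = card.check_terminal(code)

    card.new_random_number()                 # fresh test, fresh random number
    ok_replay = card.check_terminal(code)    # recorded code from the earlier run

    ok_altered = card.check_terminal(altered.respond(card.new_random_number()))
    return ok_genuine, ok_replay, ok_altered

if __name__ == "__main__":
    print(run_demo())
```

Because the action code depends on a fresh random number, a code recorded from an earlier run no longer matches, and a terminal that does not hold the common secret code cannot produce a matching one.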